Opened 6 years ago

Closed 4 years ago

#2143 closed enhancement (fixed)

Centralize certbot for SSL cert handling.

Reported by: TemptorSent Owned by: sac@…
Priority: normal Milestone:
Component: SysAdmin Keywords: SSL certbot


To reduce the number of certbot installations that must be configured and maintained individually, I propose moving certbot operations to a single primary location ('secure' VM would be a good option IMHO) and forwarding verification requests from each host using http redirects or proxying, and pushing out new keys to each host via ssh. See for a similar configuration.

In this configuration, I believe certbot can run in standalone mode with no webserver required.

Each host only needs to provide a redirect or proxy entry to the certbot host, rather than installing dependencies for certbot on every host.

Certs would be maintained for all domains in a single secure location, reducing the chance of missing renewals and simplifying administration.

Backups would be simplified and the entire certbot configuration can be easily copied to another host if needed.

Keys can be distributed to individual hosts using SCP automated with a simple script after each certbot renewal runs.

Change History (2)

comment:1 by robe, 5 years ago

Note that for the osgeo7 containers, the nginx container acts as the proxy so handles all the certs - now for nextcloud, and in future and others

comment:2 by robe, 4 years ago

Resolution: fixed
Status: newclosed

I'm going to close this out as all the old servers except for osgeo6 are using nginx proxy now which handles the certs.

Note: See TracTickets for help on using tickets.